WordPress Vulnerability Report � January 1, 2025

In this report, 81 vulnerabilities have been publicly disclosed. Security patches for 75 of these plugins are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 6 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

WordPress Core

WordPress 6.7.1 is available! This minor release features 16 bug fixes throughout Core and the Block Editor.

WordPress Plugins � 75 Patched / 6 Unpatched

Plugin:: NEX-Forms � Ultimate Form Builder � Contact forms and much more
Plugin Slug:: nex-forms-express-wp-form-builder
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-10862

Plugin:: WP-SVG
Plugin Slug:: wp-svg
Installations: 10+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11644

Plugin:: Exhibit to WP Gallery
Plugin Slug:: exhibit-to-wp-gallery
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-12096

Plugin:: float block
Plugin Slug:: float-block
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11645

Plugin:: GTPayment Donations
Plugin Slug:: gtpayment-donation
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: No Fix
Severity Score:: High
CVE:: 2024-11607

Plugin:: WP Publications
Plugin Slug:: wp-publications
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: No Fix
Severity Score:: Medium
CVE:: 2024-11605

Plugin:: Elementor Website Builder � More Than Just a Page Builder
Plugin Slug:: elementor
Installations: 10,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.25.10
Severity Score:: Medium
CVE:: 2024-10453

Plugin:: WPForms � Easy Form Builder for WordPress � Contact Forms, Payment Forms, Surveys, & More
Plugin Slug:: wpforms-lite
Installations: 6,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.2.3
Severity Score:: Medium
CVE:: 2024-11223

Plugin:: Jetpack � WP Security, Backup, Speed, & Growth
Plugin Slug:: jetpack
Installations: 4,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 14.1-a.1
Severity Score:: Medium
CVE:: 2024-10858

Plugin:: Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)
Plugin Slug:: header-footer-elementor
Installations: 2,000,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.6.47
Severity Score:: Medium
CVE:: 2024-11230

Plugin:: Ninja Forms � The Contact Form Builder That Grows With You
Plugin Slug:: ninja-forms
Installations: 700,000+
Vulnerability:: Arbitrary Code Execution
Patched in Version:: 3.8.23
Severity Score:: Medium
CVE:: 2024-12238

Plugin:: Broken Link Checker
Plugin Slug:: broken-link-checker
Installations: 600,000+
Vulnerability:: Server Side Request Forgery (SSRF)
Patched in Version:: 2.4.2
Severity Score:: Medium
CVE:: 2024-10903

Plugin:: Advanced Google reCAPTCHA
Plugin Slug:: advanced-google-recaptcha
Installations: 100,000+
Vulnerability:: Other Vulnerability Type
Patched in Version:: 1.26
Severity Score:: Medium
CVE:: 2024-12034

Plugin:: Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)
Plugin Slug:: bdthemes-element-pack-lite
Installations: 100,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.10.13
Severity Score:: Medium
CVE:: 2024-11852

Plugin:: GiveWP � Donation Plugin and Fundraising Platform
Plugin Slug:: give
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.19.0
Severity Score:: High
CVE:: 2024-11921

Plugin:: Tracking Code Manager
Plugin Slug:: tracking-code-manager
Installations: 100,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.4.0
Severity Score:: Medium
CVE:: 2024-8721

Plugin:: Easy Digital Downloads � eCommerce Payments and Subscriptions made easy
Plugin Slug:: easy-digital-downloads
Installations: 50,000+
Vulnerability:: Arbitrary File Download
Patched in Version:: 3.3.3
Severity Score:: Medium
CVE:: 2024-12875

Plugin:: Print Invoice & Delivery Notes for WooCommerce
Plugin Slug:: woocommerce-delivery-notes
Installations: 30,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.4.1
Severity Score:: Medium
CVE:: 2024-12210

Plugin:: Appointment Booking Calendar Plugin and Scheduling Plugin � BookingPress
Plugin Slug:: bookingpress-appointment-booking
Installations: 20,000+
Vulnerability:: SQL Injection
Patched in Version:: 1.1.22
Severity Score:: High
CVE:: 2024-11726

Plugin:: Data Tables Generator by Supsystic
Plugin Slug:: data-tables-generator-by-supsystic
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.10.37
Severity Score:: Medium
CVE:: 2024-56253

Plugin:: MP3 Audio Player � Music Player, Podcast Player & Radio by Sonaar
Plugin Slug:: mp3-music-player-by-sonaar
Installations: 20,000+
Vulnerability:: Broken Access Control
Patched in Version:: 5.9
Severity Score:: Medium
CVE:: 2024-56266

Plugin:: Post Grid Elementor Addon
Plugin Slug:: post-grid-elementor-addon
Installations: 20,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.19
Severity Score:: Medium
CVE:: 2024-56268

Plugin:: AyeCode Connect
Plugin Slug:: ayecode-connect
Installations: 10,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3.9
Severity Score:: Medium
CVE:: 2024-56255

Plugin:: GeoDirectory � WP Business Directory Plugin and Classified Listings Directory
Plugin Slug:: geodirectory
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.85
Severity Score:: Medium
CVE:: 2024-56259

Plugin:: WordPress Simple Shopping Cart
Plugin Slug:: wordpress-simple-paypal-shopping-cart
Installations: 10,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.0.8
Severity Score:: Medium
CVE:: 2024-12622

Plugin:: WP Data Access � App, Table, Form and Chart Builder plugin
Plugin Slug:: wp-data-access
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 5.5.23
Severity Score:: Critical
CVE:: 2024-12428

Plugin:: WP Post Author � Boost Your Blog’s Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder
Plugin Slug:: wp-post-author
Installations: 10,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.8.3
Severity Score:: High
CVE:: 2024-56247

Plugin:: Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
Plugin Slug:: wplegalpages
Installations: 10,000+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 3.2.8
Severity Score:: Medium
CVE:: 2024-12636

Plugin:: WP Datepicker
Plugin Slug:: wp-datepicker
Installations: 9,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.5
Severity Score:: High
CVE:: 2024-12468

Plugin:: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Plugin Slug:: bit-form
Installations: 8,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.17.4
Severity Score:: Medium
CVE:: 2024-12190

Plugin:: WP Travel Engine � Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor
Plugin Slug:: wte-elementor-widgets
Installations: 8,000+
Vulnerability:: Local File Inclusion
Patched in Version:: 1.3.8
Severity Score:: High
CVE:: 2024-12272

Plugin:: Nexter Blocks � WordPress Gutenberg Blocks & 1000+ Starter Templates
Plugin Slug:: the-plus-addons-for-block-editor
Installations: 7,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.0.5
Severity Score:: Medium
CVE:: 2024-56246

Plugin:: WPSSO Core � Complete and Optimized Structured Data SEO
Plugin Slug:: wpsso
Installations: 7,000+
Vulnerability:: Broken Access Control
Patched in Version:: 18.18.2
Severity Score:: Medium
CVE:: 2024-56243

Plugin:: Arconix Shortcodes
Plugin Slug:: arconix-shortcodes
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.15
Severity Score:: Medium
CVE:: 2024-56242

Plugin:: Magazine Blocks � Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid
Plugin Slug:: magazine-blocks
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.21
Severity Score:: Medium
CVE:: 2024-56258

Plugin:: WPKoi Templates for Elementor
Plugin Slug:: wpkoi-templates-for-elementor
Installations: 5,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.1.4
Severity Score:: Medium
CVE:: 2024-56241

Plugin:: Booking calendar, Appointment Booking System
Plugin Slug:: booking-calendar
Installations: 4,000+
Vulnerability:: SQL Injection
Patched in Version:: 3.2.20
Severity Score:: High
CVE:: 2024-10856

Plugin:: Custom Login Page Styler � Limit Login Attempts � Restrict Content With Login � Redirect After Login � Change Login Url
Plugin Slug:: login-page-styler
Installations: 4,000+
Vulnerability:: Privilege Escalation
Patched in Version:: 7.1.2
Severity Score:: High
CVE:: 2024-12594

Plugin:: Responsive Blocks � WordPress Gutenberg Blocks
Plugin Slug:: responsive-block-editor-addons
Installations: 4,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.9.8
Severity Score:: Medium
CVE:: 2024-12268

Plugin:: Ashe Extra
Plugin Slug:: ashe-extra
Installations: 3,000+
Vulnerability:: Broken Access Control
Patched in Version:: 1.3
Severity Score:: Medium
CVE:: 2024-56244

Plugin:: Move Addons for Elementor
Plugin Slug:: move-addons
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.3.7
Severity Score:: Medium
CVE:: 2024-56254

Plugin:: WP-Appbox
Plugin Slug:: wp-appbox
Installations: 3,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 4.5.4
Severity Score:: High
CVE:: 2024-12710

Plugin:: Premium Blocks � Gutenberg Blocks for WordPress
Plugin Slug:: premium-blocks-for-gutenberg
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.1.43
Severity Score:: Medium
CVE:: 2024-56245

Plugin:: Pronamic Google Maps
Plugin Slug:: pronamic-google-maps
Installations: 2,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.3.3
Severity Score:: Medium
CVE:: 2024-56240

Plugin:: WC Price History for Omnibus
Plugin Slug:: wc-price-history
Installations: 2,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.4
Severity Score:: Medium
CVE:: 2024-12617

Plugin:: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery � Upload, Vote, Sell via PayPal, Social Share Buttons
Plugin Slug:: contest-gallery
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 24.0.4
Severity Score:: Medium
CVE:: 2024-56237

Plugin:: DirectoryPress � Business Directory And Classified Ad Listing
Plugin Slug:: directorypress
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 3.6.17
Severity Score:: Medium
CVE:: 2024-10584

Plugin:: ELEX WooCommerce Dynamic Pricing and Discounts
Plugin Slug:: elex-woocommerce-dynamic-pricing-and-discounts
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.1.8
Severity Score:: Medium
CVE:: 2024-12266

Plugin:: Enter Addons � Ultimate Template Builder for Elementor
Plugin Slug:: enteraddons
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.2.1
Severity Score:: Medium
CVE:: 2024-56252

Plugin:: MarketKing � Ultimate WooCommerce Multivendor Marketplace Solution
Plugin Slug:: marketking-multivendor-marketplace-for-woocommerce
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 2.0.25
Severity Score:: Medium
CVE:: 2024-12413

Plugin:: PlugVersions � Easily rollback to previous versions of your plugins
Plugin Slug:: plugversions
Installations: 1,000+
Vulnerability:: Broken Access Control
Patched in Version:: 0.0.8
Severity Score:: High
CVE:: 2024-12881

Plugin:: Themify Audio Dock
Plugin Slug:: themify-audio-dock
Installations: 1,000+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.5
Severity Score:: Medium
CVE:: 2024-56239

Plugin:: Tourfic � Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking
Plugin Slug:: tourfic
Installations: 1,000+
Vulnerability:: SQL Injection
Patched in Version:: 2.15.4
Severity Score:: High
CVE:: 2024-12032

Plugin:: ConvertCalculator for WordPress
Plugin Slug:: convertcalculator
Installations: 900+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: Medium
CVE:: 2024-56302

Plugin:: Event Espresso � Event Registration & Ticketing Sales
Plugin Slug:: event-espresso-decaf
Installations: 900+
Vulnerability:: Cross Site Request Forgery (CSRF)
Patched in Version:: 5.0.31.decaf
Severity Score:: Medium
CVE:: 2024-56251

Plugin:: Hestia Nginx Cache
Plugin Slug:: hestia-nginx-cache
Installations: 800+
Vulnerability:: Broken Access Control
Patched in Version:: 2.4.1
Severity Score:: Medium
CVE:: 2024-56236

Plugin:: Just Writing Statistics
Plugin Slug:: just-writing-statistics
Installations: 800+
Vulnerability:: SQL Injection
Patched in Version:: 4.8
Severity Score:: High
CVE:: 2024-56250

Plugin:: WPMasterToolKit (WPMTK) � All in one plugin
Plugin Slug:: wpmastertoolkit
Installations: 800+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.14.0
Severity Score:: Critical
CVE:: 2024-56249

Plugin:: WPMasterToolKit (WPMTK) � All in one plugin
Plugin Slug:: wpmastertoolkit
Installations: 800+
Vulnerability:: Arbitrary File Download
Patched in Version:: 1.14.0
Severity Score:: Medium
CVE:: 2024-56248

Plugin:: Loan Comparison
Plugin Slug:: loan-comparison
Installations: 500+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 2.0.1
Severity Score:: Medium
CVE:: 2024-12814

Plugin:: WP on AWS
Plugin Slug:: wp-migrate-2-aws
Installations: 400+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 5.2.2
Severity Score:: High
CVE:: 2024-12408

Plugin:: Text Prompter � Unlimited chatgpt text prompts for openai tasks
Plugin Slug:: ai-content
Installations: 300+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.0.8
Severity Score:: Medium
CVE:: 2024-11896

Plugin:: Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached.
Plugin Slug:: content-no-cache
Installations: 300+
Vulnerability:: Broken Access Control
Patched in Version:: 0.1.3
Severity Score:: Medium
CVE:: 2024-12103

Plugin:: ACF City Selector
Plugin Slug:: acf-city-selector
Installations: 200+
Vulnerability:: Arbitrary File Upload
Patched in Version:: 1.15.0
Severity Score:: Medium
CVE:: 2024-56264

Plugin:: Export Customers Data
Plugin Slug:: export-customers-data
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.2.4
Severity Score:: High
CVE:: 2024-12405

Plugin:: Project Showcase � A WordPress Plugin to Display Projects in Various Layouts
Plugin Slug:: gs-projects
Installations: 200+
Vulnerability:: Cross Site Scripting (XSS)
Patched in Version:: 1.1.2
Severity Score:: Medium
CVE:: 2024-56261